Add stress test scripts

cdk/cdk-domainless-mode/test-scripts/README.md

@@ -0,0 +1,31 @@
+### Test Scripts 
+
+#### Pre Requisites
+- Ensure cdk stack is deployed to your personal account
+- Create a new AL2023/Ubuntu instance in the ADStack VPC
+- Install credentials-fetcher dependencies using dnf
+```aiignore
+dnf install -y realmd
+dnf install -y oddjob
+dnf install -y oddjob-mkhomedir
+dnf install -y sssd
+dnf install -y adcli
+dnf install -y krb5-workstation
+dnf install -y samba-common-tools
+```
+- Install the latest credentials-fetcher rpm in this instance
+- Run credentials-fetcher rpm as a systemd process
+```aiignore
+systemctl start credentials-fetcher
+systemctl status credentials-fetcher
+```
+- Clone credentials-fetcher repo and create a python proto file
+```aiignore
+git clone -b dev https://github.com/aws/credentials-fetcher.git
+cd credentials-fetcher/protos
+python3 -m venv .venv
+source .venv/bin/activate
+pip install grpcio-tools
+python3 -m grpc_tools.protoc -I. --python_out=. --grpc_python_out=. credentialsfetcher.proto
+cp *.py /home/ec2-user/credentials-fetcher/cdk/cdk-domainless-mode/test-scripts
+```

cdk/cdk-domainless-mode/test-scripts/add_delete_kerberos_leases.py

@@ -0,0 +1,91 @@
+import grpc
+import credentialsfetcher_pb2
+import credentialsfetcher_pb2_grpc
+import os
+import json
+import time
+
+'''
+Use this script to create and delete N kerberos leases in a recurring loop 
+(currently set to 100 times). This script is run to test that create/delete 
+functionality has no leaks or unexpected failures when run over a long 
+period of time. This script is run on a linux instance in stand-alone mode.
+'''
+
+with open('../data.json', 'r') as file:
+    # Load the JSON data
+    data = json.load(file)
+
+def run():
+    with grpc.insecure_channel('unix:///var/credentials-fetcher/socket/credentials_fetcher.sock') as channel:
+        stub = credentialsfetcher_pb2_grpc.CredentialsFetcherServiceStub(channel)
+        number_of_gmsa_accounts = data["number_of_gmsa_accounts"]
+        directory_name = data["directory_name"]
+        netbios_name = data["netbios_name"]
+        username = data["username"]
+        password = data["password"]
+
+        for iter in range(100):  # Repeat the process 100 times
+            lease_ids = []
+
+            # Create cred-specs for users ending with multiples of 5
+            for i in range(2, number_of_gmsa_accounts, 2):
+                credspec_contents = f"""{{
+                    "CmsPlugins": ["ActiveDirectory"],
+                    "DomainJoinConfig": {{
+                        "Sid": "S-1-5-21-2725122404-4129967127-2630707939",
+                        "MachineAccountName": "WebApp0{i}",
+                        "Guid": "e96e0e09-9305-462f-9e44-8a8179722897",
+                        "DnsTreeName": "{directory_name}",
+                        "DnsName": "{directory_name}",
+                        "NetBiosName": "{netbios_name}"
+                    }},
+                    "ActiveDirectoryConfig": {{
+                        "GroupManagedServiceAccounts": [
+                            {{"Name": "WebApp0{i}", "Scope": "{directory_name}"}},
+                            {{"Name": "WebApp0{i}", "Scope": "{netbios_name}"}}
+                        ],
+                        "HostAccountConfig": {{
+                            "PortableCcgVersion": "1",
+                            "PluginGUID": "{{GDMA0342-266A-4D1P-831J-20990E82944F}}",
+                            "PluginInput": {{
+                                "CredentialArn": "aws/directoryservice/contoso/gmsa"
+                            }}
+                        }}
+                    }}
+                }}"""
+
+                contents = [credspec_contents]
+                response = stub.AddNonDomainJoinedKerberosLease(
+                    credentialsfetcher_pb2.CreateNonDomainJoinedKerberosLeaseRequest(
+                        credspec_contents=contents,
+                        username=username,
+                        password=password,
+                        domain=directory_name
+                    )
+                )
+                print(f"Created lease for WebApp0{i}: {response.lease_id}")
+                lease_path = (f"/var/credentials-fetcher/krbdir/"
+                              f"{response.lease_id}/WebApp0{i}/krb5cc")
+                assert os.path.exists(lease_path)
+                lease_ids.append(response.lease_id)
+
+            # Small delay to allow for processing
+            time.sleep(1)
+
+            # Delete the created cred-specs
+            for lease_id in lease_ids:
+                delete_response = stub.DeleteKerberosLease(
+                    credentialsfetcher_pb2.DeleteKerberosLeaseRequest(
+                        lease_id=lease_id
+                    )
+                )
+                print(f"Deleted lease: {delete_response.lease_id}")
+                lease_path = f"/var/credentials-fetcher/krbdir/{lease_id}"
+                print(lease_path)
+                assert not os.path.exists(lease_path)
+
+            print(f"Completed {iter} cycle of creation and deletion")
+
+if __name__ == '__main__':
+    run()

cdk/cdk-domainless-mode/test-scripts/create_domain_joined_AD_accounts.ps1

@@ -0,0 +1,33 @@
+# Use this script to create new Domain Joined gMSA accounts and add them to
+# the AD. This script is run on the Windows Instance with access to Managed AD.
+
+$username = "admin@CONTOSO.COM"
+$password = "Qn:51eJsORJNL@~{HY@?" | ConvertTo-SecureString -AsPlainText -Force
+$credential = New-Object System.Management.Automation.PSCredential($username, $password)
+
+$groupAllowedToRetrievePassword = "WebAppAccounts_OU"
+$path = "OU=MYOU,OU=Users,OU=contoso,DC=contoso,DC=com"
+
+for (($i = 1); $i -le 10;$i++)
+{
+    # Create the gMSA account
+    $gmsa_account_name = "DJ_WebApp0" + $i
+    $gmsa_account_with_domain = $gmsa_account_name + "." + $env:USERDNSDOMAIN
+    $gmsa_account_with_host = "host/" + $gmsa_account_name
+    $gmsa_account_with_host_and_domain = $gmsa_account_with_host + "." + $env:USERDNSDOMAIN
+
+    try {
+        New-ADServiceAccount -Name $gmsa_account_name `
+                             -DnsHostName $gmsa_account_with_domain `
+                             -ServicePrincipalNames $gmsa_account_with_host, $gmsa_account_with_host_and_domain `
+                             -PrincipalsAllowedToRetrieveManagedPassword $groupAllowedToRetrievePassword `
+                             -Path $path `
+                             -Credential $credential `
+                             -Server $env:USERDNSDOMAIN `
+                             -KerberosEncryptionType AES256
+        Write-Output "Created gMSA account: $gmsa_account_name"
+    } catch {
+        $string_err = $_ | Out-String
+        Write-Output "Error while gMSA account creation: " + $string_err
+    }
+}

cdk/cdk-domainless-mode/test-scripts/create_domain_joined_kerberos_leases.py

@@ -0,0 +1,51 @@
+import grpc
+import credentialsfetcher_pb2
+import credentialsfetcher_pb2_grpc
+import json
+import os
+'''
+Use this script to create and test N leases for N domain-joined gMSA 
+accounts. This script is run on a linux instance in stand-alone mode.
+'''
+with open('../data.json', 'r') as file:
+    # Load the JSON data
+    data = json.load(file)
+
+def run():
+    with grpc.insecure_channel('unix:///var/credentials-fetcher/socket/credentials_fetcher.sock') as channel:
+        stub = credentialsfetcher_pb2_grpc.CredentialsFetcherServiceStub(channel)
+        number_of_gmsa_accounts = data["number_of_gmsa_accounts"]
+        directory_name = data["directory_name"]
+        netbios_name = data["netbios_name"]
+        for i in range(1, number_of_gmsa_accounts):
+            credspec_contents = f"""{{
+                "CmsPlugins": ["ActiveDirectory"],
+                "DomainJoinConfig": {{
+                    "Sid": "S-1-5-21-2725122404-4129967127-2630707939",
+                    "MachineAccountName": "DJ_WebApp0{i}",
+                    "Guid": "e96e0e09-9305-462f-9e44-8a8179722897",
+                    "DnsTreeName": "{directory_name}",
+                    "DnsName": "{directory_name}",
+                    "NetBiosName": "{netbios_name}"
+                }},
+                "ActiveDirectoryConfig": {{
+                    "GroupManagedServiceAccounts": [
+                        {{"Name": "DJ_WebApp0{i}", "Scope": "{directory_name}"}},
+                        {{"Name": "DJ_WebApp0{i}", "Scope": "{netbios_name}"}}
+                    ]
+                }}
+            }}"""
+
+            contents = [credspec_contents]
+            response = stub.AddKerberosLease(
+                credentialsfetcher_pb2.CreateKerberosLeaseRequest(
+                    credspec_contents=contents
+                )
+            )
+            lease_path = (f"/var/credentials-fetcher/krbdir/"
+                          f"{response.lease_id}/DJ_WebApp0{i}/krb5cc")
+            assert os.path.exists(lease_path)
+            print(f"Server response: {response}")
+
+if __name__ == '__main__':
+    run()

cdk/cdk-domainless-mode/test-scripts/create_non_domain_joined_AD_accounts.ps1

@@ -0,0 +1,29 @@
+# Use this script to create new Non Domain Joined gMSA accounts and add them to
+# the AD. This script is run on the Windows Instance with access to Managed AD.
+# NOTE: The cdk stack already creates N gmsa accounts where N corresponds to the number_of_gmsa_accounts in data
+# .json. Use this script if you would like to create new accounts without deploying/re-deploying the cdk stack
+
+$username = "admin@CONTOSO.COM"
+$password = "Qn:51eJsORJNL@~{HY@?" | ConvertTo-SecureString -AsPlainText -Force
+$credential = New-Object System.Management.Automation.PSCredential($username, $password)
+
+$groupAllowedToRetrievePassword = "WebAppAccounts_OU"
+$path = "OU=MYOU,OU=Users,OU=contoso,DC=contoso,DC=com"
+
+for (($i = 11); $i -le 200; $i++)
+{
+    # Create the gMSA account
+    $gmsa_account_name = "WebApp0" + $i
+    $gmsa_account_with_domain = $gmsa_account_name + ".contoso.com"
+    $gmsa_account_with_host = "host/" + $gmsa_account_name
+    $gmsa_account_with_host_and_domain = $gmsa_account_with_host + ".contoso.com"
+
+    try {
+        #New-ADServiceAccount -Name serviceuser1 -Path "OU=MYOU1,OU=Users,OU=ActiveDirectory,DC=contoso,DC=com" -Credential $credential -DNSHostname "contoso.com"
+        New-ADServiceAccount -Name $gmsa_account_name -DnsHostName $gmsa_account_with_domain -ServicePrincipalNames $gmsa_account_with_host, $gmsa_account_with_host_and_domain -PrincipalsAllowedToRetrieveManagedPassword $groupAllowedToRetrievePassword -Path $path -Credential $credential -Server contoso.com
+        Write-Output "New-ADServiceAccount -Name $gmsa_account_name -DnsHostName $gmsa_account_with_domain -ServicePrincipalNames $gmsa_account_with_host, $gmsa_account_with_host_and_domain -PrincipalsAllowedToRetrieveManagedPassword $groupAllowedToRetrievePassword -Path $path -Credential $credential -Server contoso.com"
+    } catch {
+        $string_err = $_ | Out-String
+        Write-Output "Error while gMSA account creation and copy credspec to S3 bucket: " + $string_err
+    }
+}

cdk/cdk-domainless-mode/test-scripts/create_non_domain_joined_kerberos_leases.py

@@ -0,0 +1,64 @@
+import grpc
+import credentialsfetcher_pb2
+import credentialsfetcher_pb2_grpc
+import json
+import os
+
+'''
+Use this script to create and test N leases for N non domain-joined gMSA
+accounts. This script is run on a linux instance in stand-alone mode.
+'''
+
+with open('../data.json', 'r') as file:
+    # Load the JSON data
+    data = json.load(file)
+
+def run():
+    with grpc.insecure_channel('unix:///var/credentials-fetcher/socket/credentials_fetcher.sock') as channel:
+        number_of_gmsa_accounts = data["number_of_gmsa_accounts"]
+        directory_name = data["directory_name"]
+        netbios_name = data["netbios_name"]
+        username = data["username"]
+        password = data["password"]
+        stub = credentialsfetcher_pb2_grpc.CredentialsFetcherServiceStub(channel)
+        for i in range(1, number_of_gmsa_accounts):
+            credspec_contents = f"""{{
+                                "CmsPlugins": ["ActiveDirectory"],
+                                "DomainJoinConfig": {{
+                                    "Sid": "S-1-5-21-2725122404-4129967127-2630707939",
+                                    "MachineAccountName": "WebApp0{i}",
+                                    "Guid": "e96e0e09-9305-462f-9e44-8a8179722897",
+                                    "DnsTreeName": "{directory_name}",
+                                    "DnsName": "{directory_name}",
+                                    "NetBiosName": "{netbios_name}"
+                                }},
+                                "ActiveDirectoryConfig": {{
+                                    "GroupManagedServiceAccounts": [
+                                        {{"Name": "WebApp0{i}", "Scope": "{directory_name}"}},
+                                        {{"Name": "WebApp0{i}", "Scope": "{netbios_name}"}}
+                                    ],
+                                    "HostAccountConfig": {{
+                                        "PortableCcgVersion": "1",
+                                        "PluginGUID": "{{GDMA0342-266A-4D1P-831J-20990E82944F}}",
+                                        "PluginInput": {{
+                                            "CredentialArn": "aws/directoryservice/contoso/gmsa"
+                                        }}
+                                    }}
+                                }}
+                            }}"""
+            contents = [credspec_contents]
+            response = stub.AddNonDomainJoinedKerberosLease(
+                credentialsfetcher_pb2.CreateNonDomainJoinedKerberosLeaseRequest(
+                    credspec_contents=contents,
+                    username={username},
+                    password={password},
+                    domain={directory_name}
+                )
+            )
+            lease_path = (f"/var/credentials-fetcher/krbdir/"
+                          f"{response.lease_id}/WebApp0{i}/krb5cc")
+            assert os.path.exists(lease_path)
+            print(f"Server response: {response}")
+
+if __name__ == '__main__':
+    run()